External PKI Certificates for Client-Server Communication
By default, Check Point servers and clients use certificates signed by the internal Check Point Certificate Authority (CA) for client-server communication, authentication, and data encryption. You can replace the default certificates with certificates issued by an external CA.
These types of certificates are supported, in .p12, .pem, and .crt formats:
- CA - Public certificate that is used to validate other certificates issued by the same CA. It is installed on clients with Push Operations.
- SSL - Certificate for the Apache server component of each server, used for SSL communication.
- Remote Help - Full Disk Encryption on the client uses this certificate to work with the Remote Help server for password recovery.
- Unlock on LAN - Full Disk Encryption on the client uses this certificate to authenticate with the Unlock on LAN feature.
Import certificates and install them on servers and clients, as necessary.
Importing External PKI Certificates
The import procedure is the same for all types of external certificates.
SSL certificates must contain a server DN. If the DN belongs to a server that does not exist, a warning shows; you can choose to proceed.
To import an external certificate:
- Open SmartEndpoint.
- Go to Manage > Certificate Management.
  The Endpoint Security Management window opens.
- Click Import.
  The Import Certificate Wizard opens.
- On the Import Certificate page:
  - Select the certificate type.
  - Insert the certificate file. You can drag and drop the file into the window or navigate to it from the folder icon.
  - Optional: Enter the file's password.
  - Optional: Enter a descriptive comment.
- Click Next.
  The message Certificate Imported Successfully shows.
- If the imported certificate requires a private key and does not include it, the Import Private Key page opens:
  - Insert the private key file. You can drag and drop the file into the window or navigate to it from the folder icon.
  - Enter the file's password, if necessary.
  - Click Next.
    The message Private Key Imported Successfully shows.
  - Click Finish.
- If the imported certificate does not include a CA certificate, the Import CA Certificate page opens:
  - Insert the CA certificate file. You can drag and drop the file into the window or navigate to it from the folder icon.
  - Enter the file's password, if necessary.
  - Click Next.
  - Click Finish.
- Click Finish.
- Click Close.
Installing CA Certificates on Clients
To install a CA certificate:
- Open SmartEndpoint.
- In the Users and Computers tab, in the Global Actions section, click Push Operation.
  The Create Push Operation wizard opens.
- At the top, select Client Settings.
- Select Push CA Certificate and click Next.
- Select the computers to push the certificate to.
- Click Next.
- Click Manage.
- Select the certificate and click Assign.
- Optional: Enter a descriptive Comment.
- Click Next.
- Click Finish.
A SmartEndpoint notification shows the number of clients the certificate was pushed to.
See the Push Operations report in the Reporting tab for more information about the operation.
Installing SSL Certificates on Servers
To install an SSL certificate on an Endpoint Security server:
- Open SmartEndpoint.
- Go to Manage > Endpoint Servers.
- Select a server and click Edit.
  The Endpoint Server Wizard opens.
- Click Next.
- Click Manage to select an SSL certificate for the server.
- Select the relevant certificate from the list and click Assign.
  Note - The server name in the Issued To field of the selected SSL certificate should be identical to the server's DN. Hover over the selected certificate to see its complete details.
- Click Next.
- Select the server with the new certificate, to install the database on it.
- Click Finish.
  The message The installation process finished shows.
- In a High Availability environment, install the database again on the secondary server.
Replacing SSL Certificates in an Existing Environment
We recommend that you implement the new SSL certificates gradually. After an SSL certificate is replaced on a server, clients that do not have the related CA certificate cannot send SSL messages (for example, Full Disk Encryption blade payloads and Audit logs) to that server.
To replace SSL certificates in an existing environment:
- Import a new CA certificate.
- Import a new SSL certificate for each server.
- Use Push Operations to push the new CA certificate to a small OU or group of devices.
  A device reports the push operation at 20% with the message: CA certificate received by Endpoint. This means the client has downloaded the new CA certificate and is looking for a server with an SSL certificate signed by the same CA.
- Install the new SSL certificate on one of the servers that accepts clients.
- Wait until the Push Operation status of all of the clients is Completed.
- Repeat the SSL certificate installation on more servers, one at a time, to migrate them gradually.
  Repeat the push, install, and wait steps to migrate more clients.
Do the procedures on the primary and secondary servers last.
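Before importing a certificate (and again for each new SSL certificate in the gradual replacement above), it pays to confirm offline that the file meets the requirements this page states: the subject DN in the Issued To field is identical to the server's DN, the certificate chains to the CA that the clients have received, and the private key belongs to the certificate. The following script is an added example written for this page, not Check Point code; it uses only the openssl command line. The server name epm01.example.local, the file names, the demo CA and the password are constructed for illustration. It also packs certificate, key and CA into one .p12, which is assumed to spare you the wizard's Import Private Key and Import CA Certificate pages, since the page says those open only when the imported file lacks them.

```shell
#!/bin/sh
# Pre-import checks for an external SSL certificate (added example, not Check
# Point code). Requires only the openssl CLI. All names below are assumptions.
set -eu

# check_ssl_cert CA.pem SERVER.pem SERVER.key EXPECTED_SERVER_DN
# Exit status: 0 = ready to import
#              1 = certificate does not chain to the given CA
#              2 = subject CN (the Issued To field) differs from the server DN
#              3 = private key does not belong to the certificate
check_ssl_cert() {
    ca="$1"; cert="$2"; key="$3"; expected="$4"

    # 1. The chain must validate against the CA that is pushed to clients;
    #    otherwise clients holding that CA cannot talk to the server after the switch.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 || return 1

    # 2. Issued To must be identical to the server's DN.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
        sed -n 's/^subject=.*CN=\([^,]*\).*$/\1/p')
    [ "$cn" = "$expected" ] || return 2

    # 3. Key and certificate must be a pair: compare the public keys they carry.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || return 3
}

# bundle_p12 SERVER.pem SERVER.key CA.pem OUT.p12 PASSWORD
# Packs certificate, private key and CA certificate into a single .p12 file.
bundle_p12() {
    openssl pkcs12 -export -in "$1" -inkey "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
}

# make_demo_pki DIR SERVER_DN
# Constructed throwaway PKI for the demonstration only: a self-signed CA and
# one server certificate issued by it. Never use these for a real deployment.
make_demo_pki() {
    dir="$1"; server_dn="$2"
    mkdir -p "$dir"
    cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -config "$dir/req.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo Endpoint CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
    openssl req -config "$dir/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$server_dn" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -out "$dir/server.pem" 2>/dev/null
}

# Example run against the constructed PKI (assumed server DN epm01.example.local):
#   make_demo_pki /tmp/demo-pki epm01.example.local
#   check_ssl_cert /tmp/demo-pki/ca.pem /tmp/demo-pki/server.pem \
#       /tmp/demo-pki/server.key epm01.example.local && \
#   bundle_p12 /tmp/demo-pki/server.pem /tmp/demo-pki/server.key \
#       /tmp/demo-pki/ca.pem /tmp/demo-pki/server.p12 changeit
```

Run the check for each server's certificate against the new CA before you import it; a status of 2 is exactly the case in which the wizard warns that the DN does not match an existing server, and a status of 1 means clients that received this CA through Push Operations would not be able to reach the server once the certificate is installed.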
Installing Full Disk Encryption Certificates
To install a Remote Help or an Unlock on LAN certificate:
- Open SmartEndpoint.
- In the Users and Computers tab, select the Entire Organization folder, and click Manage Certificates.
- Click the Manage button next to Remote Help Certificate or Unlock on LAN Certificate.
- Select the Remote Help or Unlock on LAN certificate and click Assign.
- A message shows, asking if you want to install the policy now. Click Yes or No.
- If you clicked Yes, a message shows that all changed data must be saved. Click Yes to save the changes and continue.
- Click Install.
Installing Certificates for Offline Groups
Offline Groups can use external certificates for Remote Help. The default setting, Use internally generated certificate, uses a certificate issued by the internal CA.
To install an external certificate for an Offline Group:
When creating an offline group:
- In the Offline Group Settings, select Select existing certificate.
- Click Manage and select the certificate from the list, or click Import to import the certificate.
- Click Assign.
- Continue with the New Offline Group wizard, as described in Configuring an Offline Group.
When editing an existing offline group:
- Go to Group Details and click Edit.
- Click Manage and select the specific certificate.
- Click OK.
Monitoring Certificates
You can monitor the certificates on each server and computer from the Reporting tab > Activity Reports > Endpoint Connectivity.
These columns of the report relate to the installed certificates (the columns are hidden by default):
- Active Certificate - Shows the details of the CA certificate currently active on the computer.
- StandBy Certificate - Shows the details of a CA certificate in standby state on the computer. This CA is not used now but can become active in the future.
- Active Certificate Applied On - Shows the date when the currently active CA certificate became active.